This message was deleted.
# rke2a
adamant-kite-43734
09/19/2022, 6:04 PMThis message was deleted.
c
creamy-pencil-82913
09/19/2022, 6:07 PMWhen you say the custom cluster registration URL, you mean the one that lets you download the Rancher installation manifest for application to the downstream cluster?
creamy-pencil-82913
09/19/2022, 6:07 PMRKE2 agents should be pointed at an RKE2 server, not at Rancher.
b
bright-whale-83501
09/19/2022, 6:13 PMI mean cluster management -> clusters -> registration. Step 2, I copy the url with curl.exe and paste it into my windows worker.
bright-whale-83501
09/19/2022, 6:13 PMwins-agent-install.ps1
c
creamy-pencil-82913
09/19/2022, 6:27 PMyes, that should work, if you’re using Rancher for provisioning
creamy-pencil-82913
09/19/2022, 6:28 PMthe RKE2 docs don’t cover Rancher provisioning. They only cover standalone RKE2 clusters. Rancher docs in Rancher docs, RKE2 docs in RKE2 docs.
b
bright-whale-83501
09/19/2022, 6:29 PMI do. But I've had a horrible time getting things to work. Biggest problem is our self signed CA, I pass --insecure to rancher but it does not matterr. So I swapped out curl.exe in windows with 2 releases newer, and that version accept our ca, if I rebuild the cerrtificate-bundle in windows.
bright-whale-83501
09/19/2022, 6:30 PMBut the installation process ends up in a loop right after calico cni have been brought alive. kubelet.exe are extracted again, and cant be replaced on the disk, since kubelet.exe are already executing in windows.
bright-whale-83501
09/19/2022, 6:30 PMIf I manually kill that process and delete kubelet.exe, the installer continues. But ends up in a loop
bright-whale-83501
09/19/2022, 6:31 PMLooking at the logs in windows I think this is the main error, but I dont know how/where to poke to solve it:
"Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash. Use the full token from the server's node-token file to enable Cluster CA validation"
bright-whale-83501
09/19/2022, 6:44 PMAmazing. I think I solved the last hurdle. I added --insecure into the part that downloads kubeconfig from rancher.
bright-whale-83501
09/19/2022, 6:50 PMit's very strange. Even thou I run my own curl.exe, that have curl-ca-bundle.crt in the same folder it did not accept our CA. All previous curl.exe calls, utilize curl-ca-bundle.crt, For the record, its function Get-RancherConnectionInfo that I needed to add --insecure into
c
creamy-pencil-82913
09/19/2022, 7:08 PMah yeah, there may be issues with proxies and custom CAs on Windows. I know that the golang crypto libs don’t make it easy to interact with the Windows certificate store.
b
bright-whale-83501
09/19/2022, 7:28 PMits curl.exe that (this time) didnt play with the certstore, at all
bright-whale-83501
09/19/2022, 7:29 PMmost google hits, gladly tell you to just add -k or --insecure. But I wanted to pass my ca cert. Almost worked